OSVDB ID: 19653

Title: Interchange Demo Catalogs submit.html type Variable Arbitrary ITL Code Injection

Dates

Disclosure: Sep 22, 2005
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

Interchange contains a flaw that may allow a remote attacker to inject arbitrary ITL (Interchange Tag Language) code. The issue is due to the forum/submit.html program in the demo catalogs not properly sanitizing user-supplied input to the 'type' variable. This may allow an attacker to inject arbitrary ITL commands, which will be executed by the vulnerable script.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
OSVDB: Web Related

Solution

Upgrade to version 5.0.2, 5.2.1 or higher, as they have been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): delete the submit.html file if forums are not used.

Products

Vendor: Interchange Development Group
Product: Interchange
Versions:

  • 5.0.0
  • 5.0.1
  • 5.2.0
  • 4.9.4
  • 4.9.5
  • 4.9.6
  • 4.9.8
  • 4.9.9

References

Credit

  • Neal - Webmaint


Direct URL: http://osvdb.org/36218